Each machine on a computer network is assigned a unique network address. Computers
communicate with each other across networks by connecting to these network addresses.
These numbers, also known as Internet Protocol (IP) addresses, consist of four
groups of numbers, or octets, and can be difficult for people to remember. To
solve this dilemma, a system was developed whereby people can use "friendly"
names that are then translated automatically into IP addresses that computers
use to locate each other and to communicate. These friendly names are called
hostnames, and each machine is assigned one. Groups of these hosts form
a domain. The software that translates these names to network addresses
is called the Domain Name System (DNS).

Before the advent of DNS, HOSTS files were used for name resolution, but as
the Internet quickly grew in size and popularity, HOSTS files became impossible
to maintain and keep current. When the Internet community realized there was
a need for a more manageable, scalable, and efficient name-resolution system,
DNS was created. Since that time, DNS servers have been used on the Internet
almost exclusively.

Before the introduction of Windows 2000, Network Basic Input/Output System
(NetBIOS) names were used to identify computers, services, and other resources
on Windows-based machines. In the early days of Windows networks, LMHOSTS files
were used for NetBIOS name resolution. Later, these names were often resolved
to IP addresses using a NetBIOS Name Server (NBNS). Microsoft's version
of the NBNS was called Windows Internet Naming Service (WINS). With Windows
2000 and now Windows Server 2003, hostnames are used instead of NetBIOS names.
In a Windows Server 2003 domain, DNS is used to resolve hostnames and locate
resources such as network services.

This chapter introduces the Windows Server 2003 implementation of DNS. You'll
learn how to install and configure a DNS server, as well as how to maintain
and monitor it. Having a thorough understanding of the topics presented here
is important to both the exam and on-the-job success.

Installing and Configuring the DNS Server Service

At one time or another, most of us have typed a uniform resource locator
(URL) to get to one of our favorite Web sites. Before you can view the Web site
stored on a Web server, that URL you typed must be resolved to an IP address,
and this is where DNS servers come into play.

You might have also heard the term fully qualified domain name (FQDN). An FQDN
contains both the hostname and a domain name. It uniquely identifies a host
within a DNS hierarchy. For example, http://www.bayside.net is an
FQDN. Every FQDN is broken down into different levels, each separated by a
period. In the preceding example, .net is the top-level domain and bayside is
the second-level domain. The top-level domain normally identifies the type of
organization, such as a government organization (gov) or an educational
organization (edu). The second-level domain indicates a specific domain within
that top-level namespace, whereas the third level might indicate a specific host
within that domain. In all cases, DNS servers are used to resolve FQDNs to IP
addresses.

DNS can use two different processes to resolve queries: recursive and
iterative. With a recursive query, the DNS client requires the DNS server
to respond with the IP address of the request or an error message that the
requested name does not exist. The DNS server cannot refer the client to another
DNS server if it cannot map the request to an IP address. When a DNS server
receives a recursive request, it queries other DNS servers until it finds the
information or until the query fails.

With an iterative query, the DNS server uses zone information and its
cache to return the best possible answer to the client. If the DNS server does
not have the requested information, it can refer the client to another DNS
server.

A DNS request is sent to the local DNS server. This can be a DNS server
on the client's local network or a DNS server at the client's Internet
service provider (ISP).

Before forwarding the request to a root server, the DNS server checks its
local cache to determine whether the name has recently been resolved. If there
is an entry in the local cache, the IP address is returned to the
client.

If no entry exists in the cache for the hostname, the request is sent by
the DNS server to a root name server.

The root name server refers the DNS server to a name server responsible
for the first-level domain within the hostname. For example, the root name
server would refer the request to the bayside.net DNS server.

The original DNS server is referred to second-level DNS servers, and then
third-level DNS servers, until one of them can resolve the hostname to an IP
address and return the results back to the client.

Now that you have a general idea what happens when a DNS client attempts to
connect to another computer using a hostname, let's take a look at the
types of roles that can be assigned to Windows Server 2003 DNS.

Implementing Windows 2003 DNS Server Roles

You can configure a DNS server in one of three possible roles. The role the
server plays depends on the configuration of zone files and how they are
maintained. The zone files contain configuration information for the zone as
well as the resource records.

NOTE

A zone file contains the resource records for a portion of the DNS namespace.
Resource records map hostnames to IP addresses. Both of these topics are covered
later in this chapter, in the section "Creating Resource Records."

The three possible DNS server configuration roles are as follows:

Caching-only server

Primary server

Secondary server

Keep in mind when you are planning DNS server roles that a single DNS server
can perform multiple roles. For example, a DNS server can be the primary server
for one zone and at the same time be a secondary server for another DNS
zone.

Caching-only Server

All DNS servers maintain a cache.dns file that contains a list of
all Internet root servers. Any time a DNS server resolves a hostname to an IP
address, the information is added to the cache file. The next time a DNS client
needs to resolve that hostname, the information can be retrieved from the cache
instead of the Internet.

Caching-only servers do not contain any zone information, which is the
main difference between them and primary and secondary DNS servers. The main
purpose of a caching-only server (other than providing name resolution) is to
build the cache file as names are resolved. They resolve hostnames, cache the
information, and return the results to the client. Because these servers hold no
zone information, either hostnames are resolved from the cache or else another
DNS server is required to resolve them.

Caching-only servers are useful when you need to reduce network traffic.
Again, because there is no zone information, no zone transfer traffic is
generated (meaning that no information is replicated between DNS servers).
Hostname traffic is also reduced as the cache file is built up because names can
be resolved locally using the contents of the local DNS server's cache.

CAUTION

It's important to understand when caching-only servers should be
implemented. Caching-only servers are useful when there are remote locations
that have slow WAN links. Configuring a caching-only server in these locations
can reduce WAN traffic that would normally be generated between primary and
secondary DNS servers, and can speed up hostname resolution after the cache file
has been established.

Primary Server

A primary DNS server hosts the working (writable) copy of a zone file. If you
need to make changes to the zone file, it must be done from the server that is
designated as the primary server for that zone. For those of you who are
familiar with Windows NT 4.0, this is similar to how the primary domain
controller (PDC) maintains the working copy of the directory database. After a
server has been configured as a primary DNS server for a zone, it is said to be
authoritative for that domain. Also, a single DNS server can be the primary DNS
server for multiple zones.

Secondary Server

A secondary server gets all its zone information from a master DNS server.
The secondary DNS server hosts a read-only copy of the zone file, which it gets
from the primary server or another secondary DNS server. Through a process known
as a zone transfer, the master DNS server sends a copy of the zone file
to the secondary server.

NOTE

PreWindows 2000 implementations of DNS supported only full transfers,
in which an update to the zone file resulted in the entire zone database being
transferred to the secondary servers. Windows Server 2003 (as well as Windows
2000 DNS) supports incremental zone transfers, so the secondary servers can
synchronize their zone files by pulling only the changes. This results in less
network traffic.

For example, if Server2 is configured as a secondary server for bayside.net,
Server2 would get all of its zone information from Server1, the primary DNS
server for the zone. Any changes that need to be made to the zone file would
have to be done on Server1. The changes would then be copied to Server2. As
already mentioned, a DNS server can be both a primary and a secondary server at
the same time. Using this example, Server2 could also be configured as the
primary server for riverside.net, and, to provide fault tolerance for the zone
file, Server1 could be configured as a secondary server for this zone.
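The master/secondary relationship just described, modelled as an added example (not code from the book or from the Windows DNS service): the primary holds the writable copy and bumps a serial number on every change, and a secondary pulls either the whole zone or, as the note above explains for Windows 2000 and later, only the journaled changes since its own serial. Names such as MasterZone and the journal format are assumptions for this illustration.

```python
class MasterZone:
    """The primary server's writable copy of a zone; every change bumps the serial
    and is journaled so secondaries can pull only what changed (constructed model)."""
    def __init__(self, name, records):
        self.name, self.serial = name, 1
        self.records = dict(records)            # hostname -> ip
        self.journal = []                       # (serial, name, new_ip or None)

    def update(self, name, ip):
        """Changes must be made here, on the primary; ip=None deletes the record."""
        self.serial += 1
        self.journal.append((self.serial, name, ip))
        if ip is None:
            self.records.pop(name, None)
        else:
            self.records[name] = ip

    def transfer(self, secondary_serial, incremental=True):
        """Answer a zone-transfer request: ('none'|'incremental'|'full', payload)."""
        if secondary_serial == self.serial:
            return "none", None                 # secondary is already current
        if incremental:
            changes = [c for c in self.journal if c[0] > secondary_serial]
            if changes and changes[0][0] == secondary_serial + 1:   # journal covers the gap
                return "incremental", (self.serial, changes)
        return "full", (self.serial, dict(self.records))   # pre-Windows 2000 behaviour

class SecondaryZone:
    """Read-only copy pulled from a master (the primary or another secondary)."""
    def __init__(self, master):
        self.master, self.serial, self.records, self.history = master, 0, {}, []

    def refresh(self, incremental=True):
        kind, payload = self.master.transfer(self.serial, incremental)
        self.history.append(kind)
        if kind == "full":
            self.serial, self.records = payload[0], dict(payload[1])
        elif kind == "incremental":
            self.serial, changes = payload
            for _serial, name, ip in changes:   # replay the journal in order
                if ip is None:
                    self.records.pop(name, None)
                else:
                    self.records[name] = ip
        return kind

    def transfer(self, secondary_serial, incremental=True):
        """A secondary can itself be the master for another secondary (full copies only here)."""
        if secondary_serial == self.serial:
            return "none", None
        return "full", (self.serial, dict(self.records))

def demo():
    server1 = MasterZone("bayside.net", {"www.bayside.net": "192.0.2.80"})
    server2 = SecondaryZone(server1)
    server2.refresh()                           # first sync: the whole zone
    server1.update("mail.bayside.net", "192.0.2.25")
    server2.refresh()                           # only the new record crosses the wire
    server2.refresh()                           # serials match: nothing to send
    server1.update("www.bayside.net", None)
    server2.refresh(incremental=False)          # legacy full transfer after a deletion
    return server2.history, server2.records, server2.serial == server1.serial
```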

Secondary DNS servers provide the following benefits:

Fault tolerance: Because the secondary server has a copy of
the zone file, name resolution can continue if the primary DNS server becomes
unavailable.

Reduction in name-resolution traffic: Secondary servers can be
placed in remote locations with a large number of users. Clients can then
resolve hostnames locally instead of having to contact a primary DNS using a WAN
link.

Load balancing: Name-resolution services for a zone can be
provided by the secondary server as well, thereby reducing the load placed on
the primary DNS server.

Installing DNS

DNS can be installed in several ways. It can be added during the installation
of Windows Server 2003, after installation using the Configure Your Server
Wizard, or through the Add or Remove Programs applet in the Control Panel. DNS
can also be installed when promoting a server to a domain controller using the
DCPROMO command.

The only real requirement for installing DNS is a computer running Windows Server 2003.
It cannot be installed on a computer running Windows XP. Also, if you are using
Dynamic Host Configuration Protocol (DHCP) on the network to assign IP
addresses, it's generally a good idea to configure the DNS server with a
static IP address that is outside the range of addresses included in the DHCP
scope.

To install the DNS Server service using the Add or Remove Programs applet
within the Control Panel, perform the following steps:

Click Start, point to Control Panel, and click Add or Remove
Programs.

Click Add/Remove Windows Components.

Highlight Networking Services from the Components list and click the
Details button.

From the list of components, select Domain Name System (DNS). Click OK
and then click Next.

After the necessary files are copied, click Finish.

Close the Add or Remove Programs applet.

Configuring DNS Server Options

When DNS is installed, the DNS management console is added to the
Administrative Tools menu. From the management console, you can manage all
aspects of a DNS server, from configuring zones to performing management tasks.

A number of options can be configured for a DNS server. By right-clicking the
DNS server within the management console and selecting the Properties option,
the Properties window for the server is displayed (see Figure 3.1).

Figure 3.1 After installing the DNS service, you can configure DNS server options
through the server's Properties dialog box.

The available tabs from the DNS server Properties sheet and their uses are
summarized as follows:

Interfaces: Using this tab, you can configure the interfaces
on which the DNS server will listen for DNS queries.

Forwarders: From this tab, you can configure where a DNS
server can forward DNS queries that it cannot resolve.

Advanced: This tab allows you to configure advanced options,
determine the method of name checking, determine the location from which zone
data is loaded, and enable automatic scavenging of stale records.

Root Hints: This tab enables you to configure root name
servers that the DNS server can use and refer to when resolving
queries.

Debug Logging: From this property tab, you can enable
debugging. When this option is enabled, packets sent and received by the DNS
server are recorded in a log file. You can also configure the type of
information to record in the file.

Event Logging: The Event Logging tab enables you to configure
the type of events that should be written to the DNS event log. You can log
errors, warnings, and all events. You can also turn off logging by selecting No
Events.

Monitoring: The Monitoring tab can be used to test and verify
the configuration by manually sending queries against the server. You can
perform a simple query that uses the DNS client on the local server to query the
DNS service to return the best possible answer. You can also perform a recursive
query in which the local DNS server can query other DNS servers to resolve the
query.

Security: This tab enables you to assign permissions to users
and groups for the DNS server.

Configuring DNS Zone Options

After you have installed the DNS Server service, your next step is to create
and configure zones (unless the DNS server is not authoritative for any zones).

A zone is an administrative entity: a portion of the DNS database that is
administered as a single unit. A zone
can contain a single domain or span multiple domains. The DNS server that is
authoritative for a zone is ultimately responsible for resolving any requests
for that particular zone. The zone file maintains all of the configuration
information for the zone and contains the resource records for the domains in
the zone.

Each new zone consists of a forward lookup zone and an optional reverse
lookup zone. A forward lookup zone maps hostnames to IP addresses. When a
client needs the IP address for a hostname, the information is retrieved from
the forward lookup zone. A reverse lookup zone does the opposite. It
allows for reverse queries, or mapping of an IP address back to a hostname.
Reverse queries are often used when troubleshooting with the NSLookup
command.

Zone Types

Windows Server 2003 supports four types of zones:

Standard primary zone: This type of zone maintains the master
writable copy of the zone in a text file. An update to the zone must be
performed from the primary zone.

Standard secondary zone: This zone type stores a copy of an
existing zone in a read-only text file. To create a secondary zone, the primary
zone must already exist, and you must specify a master name server. This is the
server from which the zone information is copied.

Active Directory-integrated zone: This zone type stores
zone information within Active Directory. This enables you to take advantage of
additional features, such as secure dynamic updates and replication.
Active Directory-integrated zones can be configured on Windows Server 2003
domain controllers running DNS. Each domain controller maintains a writable copy
of the zone information, which is stored in the Active Directory
database.

Stub zone: This type of zone is new in Windows Server 2003. A
stub zone maintains only a list of authoritative name servers for a particular
zone. The purpose of a stub zone is to ensure that DNS servers hosting a parent
zone are aware of authoritative DNS servers for its child zones. One of the
advantages of stub zones is that they create a dynamic relationship between the
parent and child. Compared to delegation, which points to a single IP address,
stub zones allow much more flexibility for the administrator because changes in
the child zone are automatically reflected in the stub without making changes to
the configuration.

TIP

Windows Server 2003 now includes a fourth type of DNS zone known as a stub
zone. Because this is a new feature of Windows Server 2003, be prepared to
encounter exam questions related to this topic.

Creating Zones

After the DNS service is installed, you can manage it using the DNS
management console. From this management console, you can begin configuring a
DNS server by creating zones. To create a new zone, follow these steps:

Click Start, point to Administrative Tools, and click DNS. This opens the
DNS management console.

Right-click the DNS server and click New Zone. The New Zone Wizard opens.
Click Next.

Select the type of zone you want to create: primary zone, secondary zone,
or stub zone. You also have the option of storing the zone within Active
Directory, if it is available. (The option to store information within Active
Directory is available only if Active Directory is installed on the local
machine.) Click Next.

Select the type of zone you want to create: a forward lookup zone or a
reverse lookup zone. Click Next.

If you select a forward lookup zone, the Zone Name page appears. Type the
name for the zone, such as bayside.net. Click Next.

If you selected to create a reverse lookup zone, type the network ID (see
Figure 3.2). This is used to create the in-addr.arpa domain, with subdomains
named using the network ID of the IP address. DNS uses the reverse lookup zone
for performing address-to-name translations. For example, a network ID of
192.168.1 would be translated into 1.168.192.in-addr.arpa. Click Next.

Figure 3.2 If you are creating a reverse lookup zone, you must supply the network
ID.

In the Zone File screen, select whether to create a new zone file or to
use an existing one (see Figure 3.3). This option appears when creating a
forward or reverse lookup zone. Click Next.

Figure 3.3 You must provide a filename for the zone file or select an existing
file.

Specify how the DNS zone will receive updates from DNS client computers.
Three options are available, as shown in Figure 3.4: allow only secure dynamic
updates (available only if the zone is Active Directory integrated), allow both
nonsecure and secure dynamic updates, or do not allow dynamic updates, so that
the resource records must be updated manually. Dynamic updates are covered in
more detail later in the chapter in the section "Dynamic Updates."

Click Finish.

Creating Resource Records

After a zone has been created, it can be populated with resource records. Remember,
if your clients are all running Windows Server 2003, Windows XP, or Windows
2000 and the zone is configured for dynamic updates, the clients can add and
update their own resource records. You can also manually add resource records
to a zone file through the DNS management console. A number of resource records
can be created. To view all of the resource records supported by Windows Server
2003 DNS, right-click a zone and select Other New Records (see Figure 3.5).

Figure 3.4 You must configure how the DNS zone will receive dynamic updates.

Figure 3.5 The next step in zone creation is populating the zone with DNS resource
records.

The following list summarizes some of the more common resource records you
might encounter:

Pointer (PTR) record: Points to a location in the DNS
namespace. PTR records are normally used for reverse lookups.

Alias (CNAME) record: Specifies another DNS domain name for a
name that is already referenced in another resource record.

As already mentioned, resource records can be created using the DNS management
console. To create a new host record, simply right-click the zone in which you
want to create the record and select the New Host (A) option. In the New Host
dialog box, type the name and IP address for the host. To automatically create
a pointer record, select the Create Associated Pointer (PTR) Record check box
(see Figure 3.6).

Figure 3.6 You can add a new host record via the DNS management console.

To create additional resource records, simply select the type of record you
want to create and fill in the required information.

NOTE

The NSLookup command can be used to determine the hostname associated
with a specific IP address. To use the NSLookup command, PTR records must
exist.
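As an added example (not the DNS console's own code), the naming rules behind the reverse lookup zone, the Create Associated Pointer (PTR) Record check box, and the note above: the network ID typed in the wizard becomes an in-addr.arpa zone name, each host gets an A record plus a PTR record in the matching reverse zone, and a reverse lookup only succeeds when that PTR record exists. Function names, the zone record text layout, and the assumption that reverse zones are created per /24 network are choices made for this illustration.

```python
import ipaddress

def reverse_zone_name(network_id):
    """Network ID as typed in the New Zone Wizard -> reverse zone name.
    '192.168.1' -> '1.168.192.in-addr.arpa'; 1 to 3 octets are accepted."""
    octets = network_id.split(".")
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a network ID: {network_id!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ptr_owner_name(ip):
    """Full owner name of a host's PTR record: '192.168.1.20' -> '20.1.168.192.in-addr.arpa'."""
    return ipaddress.IPv4Address(ip).reverse_pointer   # stdlib does the octet reversal

def records_for_hosts(zone, hosts, create_ptr=True):
    """Build the A record for each host and, like the Create Associated Pointer
    (PTR) Record check box, the matching PTR record in the right reverse zone.
    hosts is {hostname: ip}; reverse zones are assumed to be per /24 network."""
    forward, reverse = [], {}
    for host, ip in sorted(hosts.items()):
        fqdn = f"{host}.{zone}."
        forward.append(f"{fqdn} IN A {ip}")
        if create_ptr:
            rzone = reverse_zone_name(".".join(ip.split(".")[:3]))
            reverse.setdefault(rzone, []).append(f"{ptr_owner_name(ip)}. IN PTR {fqdn}")
    return forward, reverse

def reverse_lookup(reverse, ip):
    """What nslookup on an IP address needs: the PTR record must exist, or None comes back."""
    owner = ptr_owner_name(ip) + "."
    for records in reverse.values():
        for rec in records:
            name, _cls, _type, target = rec.split()
            if name == owner:
                return target
    return None

# Constructed sample data for the bayside.net zone.
HOSTS = {"server1": "192.168.1.10", "www": "192.168.2.80"}
FORWARD, REVERSE = records_for_hosts("bayside.net", HOSTS)
```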

Configuring DNS Simple Forwarding

DNS servers often must communicate with DNS servers outside of the local
network. A forwarder is an entry that is used when a DNS server receives
DNS queries that it cannot resolve locally. It then forwards those requests to
external DNS servers for resolution.

By configuring forwarders, you can specify which DNS servers are responsible
for handling external traffic. Otherwise, all DNS servers can send queries
outside of the local network, possibly exposing DNS information to untrusted
hosts on the Internet. Configuring forwarding adds another level of security to
the network because only servers identified as forwarders are permitted to
forward queries outside the local network.

Additionally, if all DNS servers were allowed to forward queries outside the
network, the result could be a large amount of unnecessary network traffic. This
can become an important issue if the Internet connection is slow, costly, or
already heavily utilized. Because a forwarder receives queries from local DNS
servers, it builds up a large amount of cache information. This means that many
of the queries received by the forwarder can be resolved from the cache instead
of forwarding the requests outside the local network. This is obviously more
efficient in terms of network traffic.

When a DNS server configured to use forwarding receives a DNS query from a
DNS client, the following process occurs:

When a DNS server receives a DNS query, it first attempts to resolve the
request using its zone information and information within its local
cache.

If the request cannot be resolved locally, the DNS server sends a
recursive query to the DNS server designated as the forwarder.

The forwarder attempts to resolve the query. If the forwarder does not
respond, the DNS server attempts to resolve the request by contacting the
appropriate DNS server, as specified in the root hints. (Root hints list
authoritative root servers for the Internet.)
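The resolution paths described in this chapter, brought together in one added example (not code from the book or from the Windows DNS service): a server answers from its own zone data, then its cache, then sends a recursive query to its forwarder and, only if the forwarder does not respond, falls back to root hints and walks root, top-level and second-level servers by following referrals, as in the earlier www.bayside.net walkthrough. All server addresses, zone data and class names are constructed for this illustration; nothing touches the network.

```python
from dataclasses import dataclass, field
ROOT_HINTS = ["198.41.0.4"]
SERVERS = {  # constructed, not real addresses: each server answers or refers onward
    "198.41.0.4": {"refer": {"net": ["192.0.2.1"]}},              # a root server
    "192.0.2.1":  {"refer": {"bayside.net": ["192.0.2.53"]}},     # a .net server
    "192.0.2.53": {"answer": {"www.bayside.net": "192.0.2.80"}},  # bayside.net server
}

def query_server(addr, name, log):
    """One iterative query: ('answer', ip), ('refer', [addrs]) or ('nxdomain', None)."""
    srv = SERVERS[addr]
    if name in srv.get("answer", {}):
        log.append(f"{addr} answered {name}")
        return "answer", srv["answer"][name]
    labels = name.split(".")
    for i in range(len(labels)):                # longest matching suffix wins
        suffix = ".".join(labels[i:])
        if suffix in srv.get("refer", {}):
            log.append(f"{addr} referred {name} to the {suffix} servers")
            return "refer", srv["refer"][suffix]
    return "nxdomain", None

@dataclass
class DnsServer:
    zones: dict = field(default_factory=dict)   # authoritative name -> ip
    forwarder: object = None                    # another DnsServer, or None
    reachable: bool = True                      # False models a forwarder that never answers
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def iterate_from_root(self, name):
        """Walk root -> TLD -> authoritative servers by following referrals."""
        addrs = list(ROOT_HINTS)
        for _ in range(8):                      # bound the referral chain
            kind, data = query_server(addrs[0], name, self.log)
            if kind != "refer":
                return data
            addrs = data
        return None

    def resolve(self, name):
        """Handle a recursive query: zone data, cache, forwarder, then root hints."""
        if not self.reachable:
            raise TimeoutError(name)
        if name in self.zones:
            return self.zones[name]
        if name in self.cache:
            return self.cache[name]
        if self.forwarder is None:
            ip = self.iterate_from_root(name)
        else:
            try:                                # a recursive query to the forwarder
                ip = self.forwarder.resolve(name)
                self.log.append(f"{name} via forwarder")
            except TimeoutError:                # no response: fall back to root hints
                self.log.append("forwarder did not respond; using root hints")
                ip = self.iterate_from_root(name)
        if ip is not None:
            self.cache[name] = ip               # positive answers are cached
        return ip

def demo():
    fwd = DnsServer()                           # the designated forwarder
    internal = DnsServer(zones={"fs1.bayside.net": "10.0.0.5"}, forwarder=fwd)
    names = ("fs1.bayside.net", "www.bayside.net", "www.bayside.net", "nowhere.example")
    results = [internal.resolve(n) for n in names]
    isolated = DnsServer(forwarder=DnsServer(reachable=False))
    results.append(isolated.resolve("www.bayside.net"))
    return results, internal.log, fwd.log, isolated.log
```

The second www.bayside.net lookup never reaches the forwarder because the internal server answers it from its cache, which is the traffic reduction the text describes.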

A DNS server can be configured to send all queries that it cannot resolve
locally to a forwarder, and you can also configure conditional forwarders. With
conditional forwarders, DNS servers are configured to forward requests to
different servers based on the DNS name within the query. When configuring
conditional forwarding, you must specify the following information:

The domain name for which queries will be forwarded

The IP address of the DNS server for which unresolved queries for a
specified domain should be forwarded

To configure DNS forwarders, follow these steps:

Within the DNS management console, right-click the DNS server and click
Properties.

From the Properties window for the DNS server, click the Forwarders
tab.

Under DNS Name, select a domain name. To add a new domain name, click the
Add button.

Under the Selected Domain's Forwarder IP Address list, type the IP
address of the forwarder and click Add.